UK Information Commissioner’s Office issues undertaking following a breach of the Data Protection Act through the loss of medical records.

October 7, 2013

In November 2012 a consultant psychiatrist lost a bag while riding home. Disappointing and frustrating no doubt, but in and of itself normally nothing dramatic. Except if the bag contained sensitive personal data. A consultant psychiatrist working for the Cardiff and Vale University Health Board lost exactly such a bag, and for that the health board has been made the subject of an undertaking from the Information Commissioner’s Office.

The press release provides:

The Information Commissioner’s Office (ICO) has issued Cardiff and Vale University Health Board with an undertaking following a breach of the Data Protection Act.

The breach occurred when a consultant psychiatrist was cycling home and lost a bag off the back of their bike which contained sensitive personal data including a mental health act tribunal report relating to a patient, a solicitor’s letter and five CVs for consultant job applications.

The ICO was informed about the breach on 26 November 2012 and upon contacting the health board was informed that alternative means of transporting the data, such as the use of an encrypted portable device, or remote server access was available. However these options had not been clearly communicated to staff and the staff member involved had not received training at the time of the incident.

Responding to today’s announcement ICO Assistant Commissioner for Wales, Anne Jones, said:

“Given the sensitive personal information health boards handle, it is clear that they must have adequate policies in place to keep patients’ details secure, including rules to ensure that information is only taken off site when absolutely necessary.

“This data breach was entirely avoidable. Having measures in place to keep information secure only works if staff are properly informed of those measures. Staff should not be carrying round sensitive papers because they’re unaware they can remotely access a secure network. It is simply not good enough that a consultant psychiatrist had not received adequate training and had no knowledge of the more secure options available. That is why we have obliged Cardiff and Vale University Health Board to take action.”

The undertaking is found here.

An interesting comparison in approach is found in Case Note 248601 [2013] NZ PrivCmr 4: Medical practice mitigates future harm after data breach, where the New Zealand Privacy Commissioner considered a very similar situation, the loss of sensitive material by a health professional. The New Zealand regulator’s approach was more informal and less prescriptive (see my commentary in a previous post here).

There are special challenges in keeping sensitive data generated in the health sector secure. Hospitals and clinics usually have a large number of medical staff from various disciplines who want, and sometimes require, access to health records. Professionals often wish to work at home which, for those wedded to the older ways, means taking files home rather than remotely accessing databases. In addition there are administrative staff who may not need access to the health records but use the computer system and may need access to patient databases for billing, recording and reporting purposes. Computer stations in hospitals may be in staff areas, but those areas are generally open plan and not staffed constantly. Large hospitals and clinics have part-time employees and students. Without carefully thought out and properly enforced privacy policies the danger of breaches of data security is high. A clear example of how important proper training and controls are in health provider facilities is found in the article Aussie eHealth record data mishap defended by Department of Health.

It provides:

The Australian Department of Health has moved to allay concerns over the alleged leak of confidential eHealth login details, stating that even if it had mistakenly sent login details to the wrong person, they are useless without further details.

On Wednesday morning, an unnamed Adelaide source told ABC News that he had mistakenly been sent an email from the National eHealth Record System Operator that appeared to be intended for someone else with the same last name.

The unnamed man claimed to have been sent a “private login password”, leading to speculation that the eHealth system was securing patient records using plain text passwords. Such practices are deemed insecure by modern standards for a number of reasons, including the fact that most email communications are insecure, and that passwords are often reused by users across several services.

The Department of Health has not yet been contacted by the unnamed source, making it difficult to determine whether any such breach of personal information had occurred. However, the department told ZDNet that passwords, whether they are in plain text or not, are never sent to users. This is despite the unnamed source claiming he was given a password.

Instead, the department said it could be possible that the man was actually sent an “access code” belonging to another person.

“Access codes are used after a person has been registered through assisted registration or at a Medicare office so they can log on for the first time. The code is used once in combination with other information, and then the person sets their own password. The code cannot be used without the additional information or used more than once,” a spokesperson for the department told ZDNet.

“Given nearly 900,000 people are registered, a small number of typographical errors could be expected to occur in the despatch of access codes via text or email.”

As the eHealth records system is linked through the myGov account, users that are unsure of whether their account has been tampered with can use the system’s account history to provide an audit trail. In addition to successful logins, it also shows failed attempts to access an account.


Under the Personally Controlled Electronic Health Records Act 2012, the National eHealth Record Systems Operator is required by law to inform the Office of the Australian Information Commissioner (OAIC) if there has been a breach that compromises the security or integrity of the eHealth records system.

At this point, the department is currently awaiting a response from the individual to determine whether an investigation is necessary. Such an investigation would presumably determine whether the system has actually been compromised. The OAIC is, however, able to conduct an own-motion investigation if it suspects that a breach is occurring and not being reported as required.

The Australian privacy commissioner Timothy Pilgrim told ZDNet that the OAIC is aware of the incident, and is making further enquiries.
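The department’s description of access codes above (a code delivered out of band, usable once, only in combination with other registration information, after which the user sets their own password) and the article’s mention of an account history showing both successful and failed logins together describe a standard enrolment pattern. The following is an added illustration written for this post, not code from the eHealth system or the Department of Health; the class and method names, the choice of a date of birth as the “additional information”, the ten-minute code lifetime and the sample users are all assumptions. It shows why a mis-delivered code on its own is not a credential: the server stores only a hash of the code, the code is bound to a second piece of information, it expires, and it is consumed on first successful use.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical enrolment flow (not the eHealth system's implementation).
# The operator never generates or sends a password; it issues a one-time
# access code, which is redeemed together with a second registration
# detail, and only then does the user choose a password.

PBKDF2_ITERATIONS = 200_000


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 so that neither access codes nor passwords are stored in plain text."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    verification_detail: str            # assumed second detail, e.g. date of birth (constructed)
    code_salt: bytes
    code_hash: bytes                    # hash of the one-time code; the code itself is not kept
    code_expires_at: float
    code_used: bool = False
    pw_salt: Optional[bytes] = None
    pw_hash: Optional[bytes] = None
    history: list = field(default_factory=list)   # audit trail: (timestamp, event, succeeded)


class Registry:
    def __init__(self, code_ttl_seconds: float = 600, clock=time.time):
        self.accounts: dict[str, Account] = {}
        self.ttl = code_ttl_seconds
        self.clock = clock              # injectable clock so expiry can be exercised in tests

    def register(self, username: str, verification_detail: str) -> str:
        """Create the account and return the one-time code for out-of-band delivery (SMS/email)."""
        code = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(
            username, verification_detail, salt, hash_secret(code, salt), self.clock() + self.ttl
        )
        return code

    def _log(self, acct: Account, event: str, ok: bool) -> None:
        acct.history.append((self.clock(), event, ok))

    def redeem(self, username: str, code: str, verification_detail: str, new_password: str) -> bool:
        """First-time logon: code + second detail, single use, time-limited; then the user sets a password."""
        acct = self.accounts.get(username)
        if acct is None:
            return False
        expired = self.clock() > acct.code_expires_at
        code_ok = hmac.compare_digest(hash_secret(code, acct.code_salt), acct.code_hash)
        detail_ok = hmac.compare_digest(
            verification_detail.encode(), acct.verification_detail.encode()
        )
        ok = code_ok and detail_ok and not acct.code_used and not expired
        self._log(acct, "redeem", ok)   # failed redemptions are recorded too
        if not ok:
            return False
        acct.code_used = True           # the code can never be redeemed again
        acct.pw_salt = secrets.token_bytes(16)
        acct.pw_hash = hash_secret(new_password, acct.pw_salt)
        return True

    def login(self, username: str, password: str) -> bool:
        """Normal logon with the user-chosen password; success and failure both appear in the history."""
        acct = self.accounts.get(username)
        if acct is None or acct.pw_hash is None or acct.pw_salt is None:
            return False
        ok = hmac.compare_digest(hash_secret(password, acct.pw_salt), acct.pw_hash)
        self._log(acct, "login", ok)
        return ok

    def account_history(self, username: str) -> list:
        """The audit trail a user would review to check whether their account has been tampered with."""
        return list(self.accounts[username].history)


if __name__ == "__main__":
    reg = Registry()
    code = reg.register("alice", "1980-05-17")   # constructed sample user and detail
    print("code alone, wrong detail:", reg.redeem("alice", code, "1999-01-01", "pw"))
    print("code plus detail:", reg.redeem("alice", code, "1980-05-17", "correct horse"))
    print("code reused:", reg.redeem("alice", code, "1980-05-17", "again"))
    print("login:", reg.login("alice", "correct horse"))
    for ts, event, ok in reg.account_history("alice"):
        print(f"{ts:.0f} {event:7s} {'ok' if ok else 'FAILED'}")
```

The point for a reviewer of the incident described above is the separation of concerns: a typographical error in the delivery address exposes a code that is useless without the second detail, is dead after one use or after its lifetime, and whose misuse attempts show up in the account history.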

And the ABC reports on an Adelaide man who received another person’s confidential eHealth login in Man sent someone else’s eHealth details.

It provides:

An Adelaide man who was mistakenly sent another person’s confidential eHealth login details says he is concerned about the apparent privacy breach.

The eHealth program is being rolled out across Australia to give health professionals and patients access to medical records online.

The man, who wishes not to be identified publicly, says he got an email from the National eHealth Record System operator about having successfully registered.

But he says he had made no such application, and the email seemed intended for someone else with the same last name.

“I’m just concerned that I was sent a private login password for something that I wasn’t entitled to that potentially could seriously breach the privacy of an unsuspecting number of the public,” he said.

“To actually send out a password in that situation, for a government department that is setting up a new system that is inherently privacy-dependent, I think such a simple breach of privacy is very worrying.”

A representative for the federal Health Department says it is very concerned about the matter and will look into the case urgently.

As with any form of regulation it is prudent both to work with the industry and to take action when there is a significant infraction: not only to deal with the infraction but to send out a regulatory message that standards must be met and laxity has consequences. Unfortunately in Australia the approach has all too often been to work towards a messy compromise without any message being sent to the relevant community. To be fair, the powers at the Commonwealth level have been limited and will continue to be so until March 2014. After that, however, the Privacy Commissioner will have considerable options to take issue with egregious interferences with privacy.
